multiple user password protection

Re: multiple user password protection


"Lou" <louise@msc-ltd.co.uk> wrote in message news:35f5cc5f.0 501280243.42d74 97c@posting.goo gle.com...[color=blue]
> Please can someone put me out my misery!
> Im trying to find a multiple user/password protection script that will
> redirect the specific user to a specific directory.[/color]
[...][color=blue]
> L[/color]

make a link to a page call login.php?ref=X .php

where X.php is the referring page

then save the code below as login.php

It works for me..., but I am only a beginner.


<?php

$front = '<!--start-->'; //put the start of your html file here....

$end = '<!---end-->'; //put the end your html file here
?>
<?php
if ($HTTP_POST_VAR S["username"]=="") {
echo $front;
?>
<H1>Login to myurl.com</H1>
Please enter your details below:<BR>
<FORM METHOD="post" ACTION="login.p hp?ref=<?php echo $ref; ?>" ID="frm">
<LABEL CLASS="mul">Use rname: <INPUT TYPE="text" NAME="username" SIZE="20" ID="username"> </LABEL>
<LABEL CLASS="mul">Pas sword: <INPUT TYPE="password" NAME="password" SIZE="15" ID="password"> </LABEL><BR><BR>
<DIV STYLE="text-align: center;">
<INPUT TYPE="Submit" VALUE="log in" ID="submit" NAME="submit" CLASS="submit">
</FORM>
<?php echo $end; ?>
<?php
}
else{
// _______________ _______________ _______________ __________ clean out previous entries
session_registe r("permission") ;
session_registe r("username") ;

$username=$HTTP _POST_VARS["username"];
$password=$HTTP _POST_VARS["password"];
$permission = 0;
session_start() ;
if ($username=="lo gin" AND $password=="pas sword"){ $permission = 1;}
if ($username=="se condlogin" AND $password=="mas terpassword"){ $permission = 2;}
//etc...
$username=$HTTP _POST_VARS["username"];
session_registe r("permission") ;
session_registe r("username") ;
if ($permission > 0){
session_start() ;
echo $front;
?>
<H1>welcome <?php echo $username; ?></H1>

<?php
if (strpos($ref, '.php') === false) {
$ref .= '.php?';
}
echo 'Congratulation s, login correct. <A HREF="'.$ref.'& amp;PHPSESSID=' .session_id().' ">Please continue</A>.';
echo $end;
?>
<?php
}
else{
?>
<?php echo $front; ?>
<H1>please try again <?php echo $username; ?></H1>
Sorry: login NOT correct. <A HREF="login.php <?php echo '?ref='.$ref; ?>">Please try again</A>.
<?php echo $end; ?>
<?php
}
?>
<?php
}
?>



Then, in other pages, that you want to password protect, you put.

<?php
session_start() ;
if ($permission < 1) {
echo 'please <A HREF="login.php ?ref=mypage.php ">login first</A>';
}
else {
[rest of the page.....]
}

Note that for this way you do need to use sessions... how they work, I have no idea, but they seem to work for me ... lol

- Nicolaas

Re: multiple user password protection

Don't do it this way. If register globals is turned on, visitors can simply
go to one of your "password protected" pages, add "?permissio n=1" to the URI
and they will be allowed in.

- Kevin

"WindAndWav es" <access@ngaru.c om> wrote in message
news:l5pKd.1257 3$mo2.966995@ne ws.xtra.co.nz.. .[color=blue]
>
> "Lou" <louise@msc-ltd.co.uk> wrote in message
> news:35f5cc5f.0 501280243.42d74 97c@posting.goo gle.com...[color=green]
>> Please can someone put me out my misery!
>> Im trying to find a multiple user/password protection script that will
>> redirect the specific user to a specific directory.[/color]
> [...][color=green]
>> L[/color]
>
> make a link to a page call login.php?ref=X .php
>
> where X.php is the referring page
>
> then save the code below as login.php
>
> It works for me..., but I am only a beginner.
>
>
> <?php
>
> $front = '<!--start-->'; //put the start of your html file here....
>
> $end = '<!---end-->'; //put the end your html file here
> ?>
> <?php
> if ($HTTP_POST_VAR S["username"]=="") {
> echo $front;
> ?>
> <H1>Login to myurl.com</H1>
> Please enter your details below:<BR>
> <FORM METHOD="post" ACTION="login.p hp?ref=<?php echo $ref; ?>"
> ID="frm">
> <LABEL CLASS="mul">Use rname: <INPUT TYPE="text" NAME="username"
> SIZE="20" ID="username"> </LABEL>
> <LABEL CLASS="mul">Pas sword: <INPUT TYPE="password" NAME="password"
> SIZE="15" ID="password"> </LABEL><BR><BR>
> <DIV STYLE="text-align: center;">
> <INPUT TYPE="Submit" VALUE="log in" ID="submit" NAME="submit"
> CLASS="submit">
> </FORM>
> <?php echo $end; ?>
> <?php
> }
> else{
> // _______________ _______________ _______________ __________ clean out
> previous entries
> session_registe r("permission") ;
> session_registe r("username") ;
>
> $username=$HTTP _POST_VARS["username"];
> $password=$HTTP _POST_VARS["password"];
> $permission = 0;
> session_start() ;
> if ($username=="lo gin" AND $password=="pas sword"){ $permission = 1;}
> if ($username=="se condlogin" AND $password=="mas terpassword"){
> $permission = 2;}
> //etc...
> $username=$HTTP _POST_VARS["username"];
> session_registe r("permission") ;
> session_registe r("username") ;
> if ($permission > 0){
> session_start() ;
> echo $front;
> ?>
> <H1>welcome <?php echo $username; ?></H1>
>
> <?php
> if (strpos($ref, '.php') === false) {
> $ref .= '.php?';
> }
> echo 'Congratulation s, login correct. <A
> HREF="'.$ref.'& amp;PHPSESSID=' .session_id().' ">Please continue</A>.';
> echo $end;
> ?>
> <?php
> }
> else{
> ?>
> <?php echo $front; ?>
> <H1>please try again <?php echo $username; ?></H1>
> Sorry: login NOT correct. <A HREF="login.php <?php echo
> '?ref='.$ref; ?>">Please try again</A>.
> <?php echo $end; ?>
> <?php
> }
> ?>
> <?php
> }
> ?>
>
>
>
> Then, in other pages, that you want to password protect, you put.
>
> <?php
> session_start() ;
> if ($permission < 1) {
> echo 'please <A HREF="login.php ?ref=mypage.php ">login first</A>';
> }
> else {
> [rest of the page.....]
> }
>
> Note that for this way you do need to use sessions... how they work, I
> have no idea, but they seem to work for me ... lol
>
> - Nicolaas
>
>[/color]

Re: multiple user password protection


"Kevin" <kevin@wxREMOVE 4SPAM3.com> wrote in message news:z86dnelMRe QwpmfcRVn-hw@comcast.com. ..[color=blue]
> Don't do it this way. If register globals is turned on, visitors can simply
> go to one of your "password protected" pages, add "?permissio n=1" to the URI
> and they will be allowed in.
>
>[/color]

True Kevin - is there a way of preventing this from happening? Could I say something like if session("permis sion) < 1 then lockout?

Re: multiple user password protection

This could be easily provented by referring the session variable as
$_SESSION["variable_n ame"] instead of $variable_name.

Re: multiple user password protection

If you are using sessions for authentication, I would recommend revalidating
the session's login information on each request (i.e., put the username &
password submitted into the session and check it each time) for two reasons:

1) If, for some reason, a page fails to call session_start() , a user can
populate the $_SESSION array from a query.
- and -
2) Let's say you delete a user from wherever you're storing user data
(database, file, etc.) If you validate on every request, they next time
s/he tries to do something, they will be stopped. If you trust a permission
variable stored in their session, they can continue doing whatever they want
until their session expires.

So I would instead put the "username" and "password" submitted into the
session and check it every time. Alternately use PHP with HTTP
authentication:


- Kevin

"WindAndWav es" <access@ngaru.c om> wrote in message
news:IzrKd.1258 6$mo2.972056@ne ws.xtra.co.nz.. .[color=blue]
>
> "Kevin" <kevin@wxREMOVE 4SPAM3.com> wrote in message
> news:z86dnelMRe QwpmfcRVn-hw@comcast.com. ..[color=green]
>> Don't do it this way. If register globals is turned on, visitors can
>> simply
>> go to one of your "password protected" pages, add "?permissio n=1" to the
>> URI
>> and they will be allowed in.
>>
>>[/color]
>
> True Kevin - is there a way of preventing this from happening? Could I
> say something like if session("permis sion) < 1 then lockout?
>
>
>[/color]

Re: multiple user password protection

Lou wrote:[color=blue]
> Please can someone put me out my misery!
> Im trying to find a multiple user/password protection script that[/color]
will[color=blue]
> redirect the specific user to a specific directory.[/color]

Google is your friend <http://www.google.com/search?q=php+lo gin>

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/